Reply to post: Re: Nat as a security measure

IPv6 is great, says Facebook. For us. And for you a bit, too

Anonymous Coward

Re: Nat as a security measure

Also, as NAT often goes hand in hand with PAT on a router, generally the setup to allow access to a server with a private IP via NAT specifies the port to allow it on.

It is much easier to accidentally open up access to a single IP (IPv6) from public and not open up a single port.

Also, from a firewall point of view, the separation between your private/trusted network and your public network is defined and obvious from the network address space. Without NAT and pure public addresses you must ensure you are using the interfaces correctly on your firewall to segregate the traffic. With a simple two-interface firewall that is not a problem. However, when you have multi-DMZ using a mix of physical and virtual interfaces and semi-trusted zones, there is more room for a misconfiguration.

Sure, anyone dealing with high-end firewalls will have a good ITSM procedure, configuration testing, etc., but a busy IT team with no specialists and multiple configurators can make mistakes.
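
The contrast drawn in the comment above, as an added example that is not part of the original post: a small audit that flags inbound IPv6 accept rules naming a destination host or prefix but no destination port, next to a port-forward rule that carries its port by construction. The rule lines are constructed samples in nftables syntax, and the interface name `wan0`, the addresses (documentation prefixes) and the `audit` function are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample rules in nftables syntax; addresses are documentation
# prefixes and "wan0" is an assumed name for the public-facing interface.
SAMPLE_RULES = """\
iifname "wan0" tcp dport 443 dnat to 192.168.10.80:443
iifname "wan0" ip6 daddr 2001:db8:10::80 tcp dport 443 accept
iifname "wan0" ip6 daddr 2001:db8:10::81 accept
iifname "wan0" ip6 daddr 2001:db8:20::/64 accept
iifname "wan0" ip6 daddr 2001:db8:10::82 tcp dport { 80, 443 } accept
ct state established,related accept
"""

ACCEPT = re.compile(r"\baccept\b")
DADDR = re.compile(r"\bip6 daddr (\S+)")
DPORT = re.compile(r"\b(?:tcp|udp|sctp) dport\b")


def audit(rules_text):
    """Return (line_no, destination, addresses_exposed) for each accept rule
    that names an IPv6 destination but no destination port."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), start=1):
        rule = line.split("#", 1)[0].strip()      # drop trailing comments
        if not ACCEPT.search(rule):
            continue                              # DNAT, drop, etc.: not an allow
        dest = DADDR.search(rule)
        if dest is None or DPORT.search(rule):
            continue                              # no IPv6 host named, or port given
        try:
            net = ipaddress.ip_network(dest.group(1), strict=False)
            findings.append((no, str(net), net.num_addresses))
        except ValueError:
            # Set or named-set destination: report it for manual review.
            findings.append((no, dest.group(1), None))
    return findings


if __name__ == "__main__":
    for no, dest, count in audit(SAMPLE_RULES):
        print(f"rule {no}: every port open to {dest} ({count} address(es))")
```

The port-forward rule on the first sample line cannot be written without its port, while the third and fourth lines show how the same intent in IPv6 can silently expose every port on a host or a whole prefix.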

Biting the hand that feeds IT © 1998–2019